ESET APT Activity Report Q4 2025–Q1 2026

Hey there, curious minds! Ready to dive into the world of cybersecurity threats? Let’s take a look at some of the fascinating activities of selected advanced persistent threat (APT) groups that ESET Research has been investigating in the last few months.

From October 2025 to March 2026, our researchers kept a close eye on the actions of various APT groups worldwide. One key trend we observed is the high level of activity from China-aligned threat actors. These groups have been busy conducting espionage campaigns, particularly against targets related to maritime affairs, energy, and politics. For example, FamousSparrow targeted a Venezuelan governmental entity linked to maritime affairs, while SteppeDriver focused on a Syrian governmental network. These activities reflect China’s economic interests and security concerns in these regions.

Meanwhile, Iran-aligned activity declined during the Iran war that started in late February 2026, a result of the internet restrictions imposed by the Iranian regime. This environment, however, saw an increase in proxy and hacktivist actors targeting countries like Israel and the United States. Some unattributed groups, like Rusty Boots and MoKhargosh, displayed both espionage capabilities and destructive potential, adding an unpredictable element to the threat landscape.

North Korea-aligned threat actors continued their targeting of developers and the cryptocurrency ecosystem. Lazarus and DeceptiveDevelopment maintained their focus on high-value targets, while Kimsuky and Konni opted for more opportunistic attacks. We also saw the reappearance of Andariel in South Korea, targeting companies involved in liquid hydrogen handling and the nuclear industry, aligning with North Korea’s strategic interests.

Russia-aligned threat actors concentrated their efforts on Ukraine, deploying various implants and wipers against military personnel and organizations involved in defense efforts. Sandworm, in particular, stepped up its destructive activities, even targeting a Polish energy company in December 2025. This incident highlights the potential impact of such attacks on critical infrastructure.

These are just a few highlights from our extensive research into APT activities. For more detailed insights and analysis, be sure to check out the full ESET Threat Intelligence APT Reports on our website. Stay safe and stay informed with ESET products protecting you every step of the way.
